cd-preview-argocd.yml

name: |-
  CD - Deploy to EKS Preview envs with Helmfile
  
  Deploy Docker image to ECS Preview envs with Helmfile
  
  ### Usage 
  
  ```yaml
    name: Feature Branch
    on:
      pull_request:
        branches: [ 'master' ]
        types: [opened, synchronize, reopened, closed, labeled, unlabeled]
  
    jobs:
      cd:
        uses: cloudposse/github-actions-workflows/.github/workflows/cd-preview-helmfile.yml@main
        if: $\{\{ always() \}\}
        with:
          image: registry.hub.docker.com/library/nginx
          tag: latest
          repository: $\{\{ github.event.repository.name \}\}
          open: $\{\{ github.event.pull_request.state == 'open' \}\}
          labels: $\{\{ toJSON(github.event.pull_request.labels.*.name) \}\}
          ref: $\{\{ github.event.pull_request.head.ref \}\}
          exclusive: false
          env-label: |
            preview: deploy
        secrets:
          secret-outputs-passphrase: $\{\{ secrets.secret-outputs-passphrase \}\}
          github-private-actions-pat: $\{\{ secrets.github-private-actions-pat \}\}
  ```

on:
  workflow_call:
    inputs:
      image:
        description: "Docker Image to deploy"
        required: true
        type: string
      tag:
        description: "Docker Image tag to deploy"
        required: true
        type: string
      organization:
        description: "Repository owner organization (ex. acme for repo acme/example)"
        required: true
        type: string
      repository:
        description: "Repository name (ex. example for repo acme/example)"
        required: true
        type: string
      ref:
        description: "The fully-formed ref of the branch or tag that triggered the workflow run"
        required: true
        type: string
      open:
        description: "Pull Request open/close state. Set true if opened"
        required: true
        type: boolean
      labels:
        description: "Pull Request labels"
        required: false
        type: string
        default: "{}"
      toolchain:
        description: "Toolchain ('helm', 'helmfile')"
        required: false
        default: "helmfile"
        type: string
      path:
        description: "The path where lives the helmfile or helm chart."
        required: true
        type: string
      values_file:
        type: string
        description: Helmfile values file, or helm chart values file
        default: ""
        required: false
      exclusive:
        description: "Deactivate previous GitHub deployments"
        required: false
        type: boolean
        default: true
      env-label:
        description: "YAML formatted {environment}: {label} map"
        type: string
        default: |
          preview: deploy
      synchronously:
        type: boolean
        description: "Wait until ArgoCD successfully apply the changes"
        default: false
      runs-on:
        description: "Overrides job runs-on setting (json-encoded list)"
        type: string
        required: false
        default: '["ubuntu-latest"]'
    secrets:
      secret-outputs-passphrase:
        description: "Passphrase to encrypt/decrypt secret outputs with gpg. For more information [read](https://github.com/cloudposse/github-action-secret-outputs)"
        required: true
      github-private-actions-pat:
        description: "Github PAT allow to pull private repos"
        required: true

permissions:
  pull-requests: write
  deployments: write
  id-token: write
  contents: read

jobs:
  preview:
    runs-on: ${{ fromJSON(inputs.runs-on) }}
    steps:
      - name: Preview deployments controller
        uses: cloudposse/github-action-preview-environment-controller@0.11.0
        id: controller
        with:
          labels: ${{ inputs.labels }}
          open: ${{ inputs.open }}
          env-label: ${{ inputs.env-label }}

    outputs:
      namespace: ${{ inputs.ref }}
      labels_env: ${{ steps.controller.outputs.labels_env }}
      deploy_envs: ${{ steps.controller.outputs.deploy_envs }}
      destroy_envs: ${{ steps.controller.outputs.destroy_envs }}


  deploy:
    runs-on: ubuntu-latest
    needs: [ preview ]
    if: ${{ needs.preview.outputs.deploy_envs != '[]'  }}
    strategy:
      matrix:
        env: ${{ fromJson(needs.preview.outputs.deploy_envs) }}
    environment:
      name: ${{ matrix.env }}
      url: ${{ steps.deploy.outputs.webapp-url }}
    steps:
      - uses: cloudposse/github-action-secret-outputs@0.1.2
        id: image
        with:
          secret: ${{ secrets.secret-outputs-passphrase }}
          op: decode
          in: ${{ inputs.image }}

      - name: Deactive environment
        uses: bobheadxi/deployments@v1
        if: ${{ inputs.exclusive }}
        with:
          step: deactivate-env
          token: ${{ github.token }}
          env: ${{ matrix.env }}
          desc: Environment purged

      - name: Checkout
        uses: actions/checkout@v4

      - name: Environment Info
        uses: cloudposse/github-action-interface-environment@0.4.0
        id: environment
        with:
          implementation_repository: cloudposse/actions-private
          implementation_path: 'argocd-environments/'
          implementation_ref: main
          implementation_github_pat: ${{ secrets.github-private-actions-pat }}
          environment: ${{ matrix.env }}
          namespace: ${{ needs.preview.outputs.namespace }}
          repository: ${{ inputs.repository }}

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4.0.2
        with:
          aws-region: ${{ steps.environment.outputs.region }}
          role-to-assume: ${{ steps.environment.outputs.role }}
          role-skip-session-tagging: true

      - name: Deploy
        uses: cloudposse/github-action-deploy-argocd@0.8.1
        id: deploy
        with:
          toolchain: ${{ inputs.toolchain }}
          synchronously: ${{ inputs.synchronously }}
          path: ${{ inputs.path }}
          values_file: ${{ format(inputs.values_file, steps.environment.outputs.name) }}
          application: ${{ inputs.repository }}
          ssm-path: ${{ steps.environment.outputs.ssm-path }}
          aws-region: ${{ steps.environment.outputs.region }}
          cluster: ${{ steps.environment.outputs.cluster }}
          environment: ${{ steps.environment.outputs.name }}
          namespace: ${{ steps.environment.outputs.namespace }}
          image: ${{ steps.image.outputs.out }}
          image-tag: ${{ inputs.tag }}
          operation: deploy
          github-pat: ${{ secrets.github-private-actions-pat }}
          repository: ${{ inputs.organization }}/${{ inputs.repository }}
          ref: ${{ github.sha }}

  destroy:
    runs-on: ubuntu-latest
    needs: [ preview ]
    if: ${{ needs.preview.outputs.destroy_envs != '[]'  }}
    strategy:
      matrix:
        env: ${{ fromJson(needs.preview.outputs.destroy_envs) }}
    permissions:
      pull-requests: write
      deployments: write
      id-token: write
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Seek deployment
        uses: cloudposse/github-action-seek-deployment@0.1.1
        id: deployment
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          environment: ${{ matrix.env }}
          ref: ${{ inputs.ref }}
          status: success

      - name: Environment Info
        uses: cloudposse/github-action-interface-environment@0.4.0
        if: ${{ steps.deployment.outputs.id != '' }}
        id: environment
        with:
          implementation_repository: cloudposse/actions-private
          implementation_path: 'argocd-environments/'
          implementation_ref: main
          implementation_github_pat: ${{ secrets.github-private-actions-pat }}
          environment: ${{ matrix.env }}
          namespace: ${{ needs.preview.outputs.namespace }}
          repository: ${{ inputs.repository }}

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4.0.2
        if: ${{ steps.deployment.outputs.id != '' }}
        with:
          aws-region: ${{ steps.environment.outputs.region }}
          role-to-assume: ${{ steps.environment.outputs.role }}
          role-skip-session-tagging: true

      - name: Destroy
        uses: cloudposse/github-action-deploy-argocd@0.8.1
        if: ${{ steps.deployment.outputs.id != '' }}
        id: deploy
        with:
          toolchain: ${{ inputs.toolchain }}
          synchronously: ${{ inputs.synchronously }}
          path: ${{ inputs.path }}
          application: ${{ inputs.repository }}
          values_file: ${{ format(inputs.values_file, steps.environment.outputs.name) }}
          ssm-path: ${{ steps.environment.outputs.ssm-path }}
          aws-region: ${{ steps.environment.outputs.region }}
          cluster: ${{ steps.environment.outputs.cluster }}
          environment: ${{ steps.environment.outputs.name }}
          namespace: ${{ steps.environment.outputs.namespace }}
          image: "<none>"
          image-tag: "<none>"
          operation: destroy
          github-pat: ${{ secrets.github-private-actions-pat }}
          debug: false
          repository: ${{ inputs.organization }}/${{ inputs.repository }}
          ref: ${{ github.sha }}

      - name: Inactivate deployment
        uses: chrnorm/deployment-status@v2.0.3
        if: ${{ steps.deployment.outputs.id != '' }}
        with:
          state: inactive
          token: ${{ github.token }}
          deployment-id: ${{ steps.deployment.outputs.id }}

      - name: Cleanup label
        uses: cloudposse/github-action-preview-labels-cleanup@0.1.1
        if: ${{ ! inputs.open }}
        with:
          labels_env: ${{ needs.preview.outputs.labels_env }}
          env: ${{ matrix.env }}